Abstract. We employ tropical algebras as platforms for several cryptographic
schemes that would be vulnerable to linear algebra attacks were they based on "usual"
algebras as platforms.
1. Introduction

In this paper, we employ tropical algebras as platforms for several cryptographic
schemes. The schemes themselves are not brand new; similar ideas were used in the
"classical" case, i.e., for algebras with the familiar addition and multiplication.
However, in the classical case these schemes were shown to be vulnerable to various
linear algebra attacks. Here we make a case for using tropical algebras as platforms
by using, among other things, the fact that in the "tropical" case, even solving
systems of linear equations is computationally infeasible in general. Yet another
advantage is improved efficiency because in tropical schemes, one does not have to
perform any multiplications of numbers since tropical multiplication is the usual
addition, see below.

We start by giving some necessary information on tropical algebras here; for more 
details, we refer the reader to a recent monograph [2]. 

Consider a tropical semiring $S$ (also known as the min-plus algebra due to the
following definition). This semiring is defined as a subset of reals that contains 0
and is closed under addition, with two operations as follows:

$$x \oplus y = \min(x, y)$$
$$x \otimes y = x + y.$$

It is straightforward to see that these operations satisfy the following properties:

associativity:

$$x \oplus (y \oplus z) = (x \oplus y) \oplus z$$
$$x \otimes (y \otimes z) = (x \otimes y) \otimes z.$$

commutativity:

$$x \oplus y = y \oplus x$$
$$x \otimes y = y \otimes x.$$

distributivity:

$$(x \oplus y) \otimes z = (x \otimes z) \oplus (y \otimes z).$$

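There are some "counterintuitive" properties as well:

$$x \oplus x = x$$
$$x \otimes 0 = x$$
$$x \oplus 0 \text{ could be either } 0 \text{ or } x.$$

There is also a special "$\epsilon$-element" $\epsilon = \infty$ such that, for any $x \in S$,

$$\epsilon \oplus x = x$$
$$\epsilon \otimes x = \epsilon.$$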

A (tropical) monomial in $S$ looks like a usual linear function, and a tropical
polynomial is the minimum of a finite number of such functions, and therefore a concave,
piecewise linear function. The rules for the order in which tropical operations are
performed are the same as in the classical case, see the example below.

Example 1. Here is an example of a tropical monomial: $x \otimes x \otimes y \otimes z \otimes z$.
The (tropical) degree of this monomial is 5. We note that sometimes, people use the
alternative notation $x^{\otimes 2}$ for $x \otimes x$, etc.

An example of a tropical polynomial is:

$$p(x, y, z) = 5 \otimes x \otimes y \otimes z \oplus x \otimes x \oplus 2 \otimes z \oplus 17 = (5 \otimes x \otimes y \otimes z) \oplus (x \otimes x) \oplus (2 \otimes z) \oplus 17.$$

This polynomial has (tropical) degree 3, by the highest degree of its monomials.

We note that, just as in the classical case, a tropical polynomial is canonically
represented by an ordered set of tropical monomials (together with non-zero coefficients),
where the order that we use here is deglex.

While the $\oplus$ operation is obviously not invertible, the $\otimes$ operation is, and we
denote the inverse of this operation by $\oslash$ (it is just the classical subtraction):

$$x \oslash y = z \text{ if and only if } y \otimes z = x.$$

We refer to [8] for more detailed properties of this operation; here we just mention
the following properties that agree with those of the usual division:

$$(x \oslash y) \otimes (z \oslash t) = (x \otimes z) \oslash (y \otimes t)$$
$$(x \oslash y) \oplus (z \oslash t) = ((x \otimes t) \oplus (y \otimes z)) \oslash (y \otimes t).$$

Also as in the classical case, there is an equivalence relation on the set of all
expressions of the form $x \oslash y$:

$$x \oslash y \text{ is equivalent to } z \oslash t \text{ if and only if } x \otimes t = y \otimes z.$$

All expressions of the form $x \oslash y$, where $x, y \in S$, modulo the above equivalence,
form a semifield (of quotients of $S$), which we denote by $Rat(S)$, see [8].
1.1. Tropical matrix algebra. A tropical algebra can be used for matrix operations
as well. To perform the $A \oplus B$ operation, the elements $m_{ij}$ of the resulting
matrix $M$ are set to be equal to $a_{ij} \oplus b_{ij}$. The $\otimes$ operation is similar
to the usual matrix multiplication, however, every "+" calculation has to be substituted
by a $\oplus$ operation, and every "·" calculation by a $\otimes$ operation.

The role of the identity matrix $I$ is played by the matrix that has "0"s on the diagonal
and $\infty$ elsewhere. Similarly, a scalar matrix would be a matrix with an element
$\lambda \in S$ on the diagonal and $\infty$ elsewhere. Such a matrix commutes with any
other square matrix (of the same size). Multiplying a square matrix by a scalar amounts
to multiplying it by the corresponding scalar matrix.

Then, tropical diagonal matrices have something on the diagonal and $\infty$ elsewhere.

We also note that, in contrast with the "classical" situation, it is rather rare that
a "tropical" matrix is invertible. More specifically (see [2, p. 5]), the only invertible
tropical matrices are those that are obtained from a diagonal matrix by permuting
rows and/or columns.

2. Key exchange using matrices over a tropical algebra 

We are now going to offer a key exchange protocol building on an idea of Stickel [13]
who used it for matrices over "usual" algebras, which made his scheme vulnerable to
linear algebra attacks, see e.g. [11]. Since we believe that Stickel's idea itself has a
good potential, we suggest here to use matrices over a tropical algebra as the platform
for his scheme, in order to prevent linear algebra attacks.

We start by recalling Stickel's original protocol. Let $G$ be a public non-commutative
semigroup, $a, b \in G$ public elements such that $ab \neq ba$. The key exchange
protocol goes as follows.

2.1. Protocol 1 [13].

(1) Alice picks two random natural numbers $n, m$ and sends $u = a^n b^m$ to Bob.

(2) Bob picks two random natural numbers $r, s$ and sends $v = a^r b^s$ to Alice.

(3) Alice computes $K_A = a^n v b^m = a^{n+r} b^{m+s}$.

(4) Bob computes $K_B = a^r u b^s = a^{n+r} b^{m+s}$.

Thus, Alice and Bob end up with the same group element $K = K_A = K_B$ which can
serve as the shared secret key.

This can be generalized if the platform is not just a semigroup, but a ring (actually, 
a semiring would suffice): 
2.2. Protocol 2 [6], [11]. Let $R$ be a public non-commutative ring (or a semiring),
$a, b \in R$ public elements such that $ab \neq ba$.

(1) Alice picks two random polynomials $p_1(x), p_2(x)$ (say, with positive integer
coefficients) and sends $p_1(a) \cdot p_2(b)$ to Bob.

(2) Bob picks two random polynomials $q_1(x), q_2(x)$ and sends $q_1(a) \cdot q_2(b)$ to Alice.

(3) Alice computes $K_A = p_1(a) \cdot (q_1(a) \cdot q_2(b)) \cdot p_2(b)$.

(4) Bob computes $K_B = q_1(a) \cdot (p_1(a) \cdot p_2(b)) \cdot q_2(b)$.

Thus, since $p_1(a) \cdot q_1(a) = q_1(a) \cdot p_1(a)$ and $p_2(b) \cdot q_2(b) = q_2(b) \cdot p_2(b)$,
Alice and Bob end up with the same element $K = K_A = K_B$ which can serve as the shared
secret key.

It is Protocol 2 that we propose to adopt in the "tropical" situation. 

2.3. Protocol 3 (tropical). Let $R$ be the tropical algebra of $n \times n$ matrices over
integers, and let $A, B \in R$ be public matrices such that $A \otimes B \neq B \otimes A$.

(1) Alice picks two random tropical polynomials $p_1(x), p_2(x)$ (with integer
coefficients) and sends $p_1(A) \otimes p_2(B)$ to Bob.

(2) Bob picks two random tropical polynomials $q_1(x), q_2(x)$ and sends
$q_1(A) \otimes q_2(B)$ to Alice.

(3) Alice computes $K_A = p_1(A) \otimes (q_1(A) \otimes q_2(B)) \otimes p_2(B)$.

(4) Bob computes $K_B = q_1(A) \otimes (p_1(A) \otimes p_2(B)) \otimes q_2(B)$.

Thus, since $p_1(A) \otimes q_1(A) = q_1(A) \otimes p_1(A)$ and
$p_2(B) \otimes q_2(B) = q_2(B) \otimes p_2(B)$, Alice and Bob end up with the same element
$K = K_A = K_B$ which can serve as the shared secret key.

2.4. What are the advantages of the "tropical" Protocol 3 over "classical"
Protocols 1 and 2? One obvious advantage is improved efficiency because when
multiplying matrices in the tropical sense, one does not have to perform any
multiplications of numbers since tropical multiplication is the "usual" addition.

To compare security, we briefly recall a linear algebra attack on Stickel's original
protocol (Protocol 1), where $G$ was a group of invertible matrices over a field. In that
case, to recover a shared key $K$, it is not necessary to find the exponents $n$, $m$, $r$,
or $s$. Instead, as was shown in [11], it is sufficient for the adversary to find matrices
$x$ and $y$ such that $xa = ax$, $yb = by$, and $xu = y$. (Here $x$ corresponds to $a^{-n}$,
while $y$ corresponds to $b^m$.)

These conditions translate into a system of $3k^2$ linear equations with $2k^2$ unknowns,
where $k$ is the size of the matrices. This typically yields a unique solution (according
to computer experiments of [11] and [10]), which can be efficiently found if the matrices
are considered over a field.

We note that in [10], a more sophisticated attack on a more general Protocol 2 was
offered. This attack applies to not necessarily invertible matrices over a field.

In the "tropical" situation (Protocol 3), however, a linear algebra attack will not
work, for several reasons:

(1) Matrices are generically not invertible, so the equation $XY = U$ with known $U$
and unknown $X$, $Y$ does not translate into a system of linear equations.

(2) The equations $XA = AX$, $YB = BY$ do translate into a system of linear
equations, which may be called a "two-sided min-linear system", following [2].
In [1], it is shown that the problem of solving such systems is in the class
$NP \cap co\text{-}NP$ (there is a belief that it does not belong to the class P). We
refer to [2] for a comprehensive exposition of what is known concerning existing
algorithms for solving two-sided min-linear systems and their complexity. Here
we just say that, while it is known how to find one of the solutions of a system
(if a solution exists), there is no known efficient method for describing the linear
space of all solutions, in contrast with the "classical" situation.

2.5. Parameters and key generation. Here we suggest values of the parameters 
involved in the description of our Protocol 3. 

• The size of matrices $n = 10$.

• The entries of the public matrices $A$, $B$ are integers, selected uniformly randomly
in the range $[-10^{10}, 10^{10}]$.

• The degrees of the tropical polynomials $p_1(x), p_2(x), q_1(x), q_2(x)$ are selected
uniformly randomly in the range [1, 10].

• The coefficients of the above tropical polynomials are selected uniformly
randomly in the range [-1000, 1000].

With these parameters, the size of the key space (for private tropical polynomials)
is approximately $10^{30}$.
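The following Python sketch runs Protocol 3 with the parameters suggested above. It is an added example, not code from the paper; the function names (`t_add`, `t_mul`, `t_scalar`, `t_poly`, `key_exchange`) and the use of Horner's rule to evaluate the matrix polynomials are choices made here.

```python
import secrets

INF = float("inf")  # epsilon in the text: neutral for min, absorbing for +

def t_add(X, Y):
    """Tropical matrix sum: entrywise minimum."""
    return [[min(a, b) for a, b in zip(r, s)] for r, s in zip(X, Y)]

def t_mul(X, Y):
    """Tropical matrix product: min replaces +, + replaces *."""
    cols = list(zip(*Y))
    return [[min(a + b for a, b in zip(row, col)) for col in cols] for row in X]

def t_scalar(c, n):
    """Scalar matrix: c on the diagonal, infinity elsewhere (c = 0 gives I)."""
    return [[c if i == j else INF for j in range(n)] for i in range(n)]

def t_poly(coeffs, X):
    """p(X) = min over i of (coeffs[i] + i-th tropical power of X), by Horner's rule."""
    acc = t_scalar(coeffs[-1], len(X))
    for c in reversed(coeffs[:-1]):
        acc = t_add(t_mul(acc, X), t_scalar(c, len(X)))
    return acc

def rand_poly(rng):
    """Degree in [1, 10], coefficients in [-1000, 1000], as in Section 2.5."""
    return [rng.randint(-1000, 1000) for _ in range(rng.randint(1, 10) + 1)]

def key_exchange(rng=None, n=10, bound=10**10):
    rng = rng or secrets.SystemRandom()
    A = [[rng.randint(-bound, bound) for _ in range(n)] for _ in range(n)]
    B = [[rng.randint(-bound, bound) for _ in range(n)] for _ in range(n)]
    if t_mul(A, B) == t_mul(B, A):
        raise ValueError("public matrices commute; draw again")
    p1, p2, q1, q2 = (rand_poly(rng) for _ in range(4))      # private polynomials
    u = t_mul(t_poly(p1, A), t_poly(p2, B))                  # Alice -> Bob
    v = t_mul(t_poly(q1, A), t_poly(q2, B))                  # Bob -> Alice
    k_alice = t_mul(t_mul(t_poly(p1, A), v), t_poly(p2, B))  # step (3)
    k_bob = t_mul(t_mul(t_poly(q1, A), u), t_poly(q2, B))    # step (4)
    return A, B, u, v, k_alice, k_bob
```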

3. Encryption using birational automorphisms of a tropical polynomial algebra

In this section, we describe a public key encryption scheme that would be susceptible 
to a linear algebra attack in the "classical" case (cf. [9], [4]), but not in the "tropical" 
case. 

Let $P = Rat[x_1, \ldots, x_n]$ be the quotient semifield of a tropical polynomial algebra
over $\mathbb{Z}$.

3.1. The protocol. There is a public automorphism $\alpha \in Aut(P)$ given as a tuple of
tropical rational functions $(\alpha(x_1), \ldots, \alpha(x_n))$. Alice's private key is
$\alpha^{-1}$. Note that $\alpha$ is also a bijection of the set $\mathbb{Z}^n$, i.e., it is a
one-to-one map of the set of all $n$-tuples of integers onto itself. We will use the same
notation $\alpha$ for an automorphism of $P$ and for the corresponding bijection of
$\mathbb{Z}^n$, hoping this will not cause confusion.

(1) Bob's secret message is a tuple of integers $s = (s_1, \ldots, s_n) \in \mathbb{Z}^n$.
Bob encrypts his tuple by applying the public automorphism $\alpha$:
$E_\alpha(s) = \alpha(s_1, \ldots, s_n)$.

(2) Alice decrypts by applying her private $\alpha^{-1}$ to the tuple $E_\alpha(s)$:
$\alpha^{-1}(E_\alpha(s)) = s = (s_1, \ldots, s_n)$.
3.2. Key generation. The crucial ingredient in this scheme is, of course, generating
the public key $\alpha \in Aut(P)$. Alice can generate her automorphism $\alpha$ as a product
of "monomial" automorphisms on the set of variables $\{x_1, \ldots, x_n\}$ and "triangular"
automorphisms of the form

$$\varphi: x_i \to x_i \otimes p_i(x_{i+1}, \ldots, x_n), \quad 1 \le i \le n,$$

where $p_i \in P = Rat[x_1, \ldots, x_n]$. Each triangular automorphism, in turn, is a product
of "elementary" triangular automorphisms; these are of the form

$$\tau: x_j \to x_j \otimes q_j(x_{j+1}, \ldots, x_n), \quad x_k \to x_k, \ k \neq j.$$

The inverse of such a $\tau$ is

$$\tau^{-1}: x_j \to x_j \oslash q_j(x_{j+1}, \ldots, x_n), \quad x_k \to x_k, \ k \neq j,$$

where $q_j \in P$.

"Monomial" automorphisms are analogs of linear automorphisms in the "classical"
situation; they are of the form

$$\mu: x_i \to b_i \otimes x_1^{\otimes a_{i1}} \otimes \cdots \otimes x_n^{\otimes a_{in}},$$

where $b_i$ are finite coefficients (i.e., $\neq \infty$), and the matrix $A = (a_{ij})$ of
integer exponents is invertible in the "classical" sense.

We note, in passing, that a question of independent interest (independent of
cryptographic applications) is:

Problem 1. Is every automorphism of $P = Rat[x_1, \ldots, x_n]$, the quotient semifield of
a tropical polynomial algebra over $\mathbb{Z}$, a product of triangular and monomial
automorphisms?

3.3. Parameters. We suggest the following parameters. 

• The number $n$ of variables in the platform tropical polynomial algebra: 10.

• The number of triangular automorphisms in a product for $\alpha$: 2. The number
of monomial automorphisms: 3. More specifically, Alice generates her $\alpha$ in the
following form:

where $\varphi_1, \varphi_2$ are triangular automorphisms, and $\mu_1, \mu_2, \mu_3$ are
monomial automorphisms.

• The tropical degrees of all $q_j$ are equal to 2.

• The coefficients of the above tropical polynomials $q_j$ are selected uniformly
randomly in the range [-10, 10].

Remark 1. Alice can obtain the inverse of $\alpha$ as the product of inverses of the
automorphisms $\varphi_i$ and $\mu_i$, in the reverse order. However, Alice does not have to
compute an explicit expression for $\alpha^{-1}$; this computation may not be efficient since
the degree of $\alpha^{-1}$ may be substantially greater than the degree of $\alpha$. In our
protocol, Alice has to apply $\alpha$ to a particular point in $\mathbb{Z}^n$; an efficient way
of doing this is to first apply $\mu_3$, then apply $\varphi^{-1}$ to the obtained point, etc.
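The Python sketch below illustrates Sections 3.1 to 3.3 and Remark 1 on points of $\mathbb{Z}^n$: the key is kept as a list of factors, and decryption undoes them one at a time without ever expanding $\alpha^{-1}$. It is an added example, not code from the paper. Its assumptions: the factor order (monomial, triangular, monomial, triangular, monomial), polynomial rather than rational $q_i$ with three monomials each, exponent matrices built from eight unit shears so that they are invertible over the integers, and $\alpha$ evaluated through its factors, whereas Bob would evaluate the published composed expression to get the same value.

```python
import secrets

def trop_poly(terms, x):
    """Tropical polynomial at x: min over monomials (c, exps) of c + sum(e_k * x_k)."""
    return min(c + sum(e * v for e, v in zip(exps, x)) for c, exps in terms)

def triangular(q, s, inverse=False):
    """phi: x_i -> x_i (x) q_i(x_{i+1},...,x_n); q[i] has zero exponents on x_1..x_i."""
    if not inverse:
        return [v + trop_poly(q[i], s) for i, v in enumerate(s)]
    s = list(s)
    for i in reversed(range(len(s))):  # last coordinate first: q_i reads recovered entries
        s[i] -= trop_poly(q[i], s)
    return s

def monomial(mu, s, inverse=False):
    """mu: x_i -> b_i (x) x_1^(a_i1) (x) ...; exponent matrix = product of the shears."""
    shears, b = mu
    s = list(s)
    if not inverse:
        for i, k, c in shears:
            s[i] += c * s[k]
        return [v + bi for v, bi in zip(s, b)]
    s = [v - bi for v, bi in zip(s, b)]
    for i, k, c in reversed(shears):
        s[i] -= c * s[k]
    return s

def keygen(n=10, rng=None):
    rng = rng or secrets.SystemRandom()
    def tri():   # monomials of tropical degree 2, coefficients in [-10, 10]
        q = []
        for i in range(n):
            terms = []
            for _ in range(3):
                exps = [0] * n
                for k in (rng.choices(range(i + 1, n), k=2) if i + 1 < n else []):
                    exps[k] += 1
                terms.append((rng.randint(-10, 10), exps))
            q.append(terms)
        return q
    def mono():  # assumption: 8 unit shears, so the exponent matrix has determinant 1
        shears = [(*rng.sample(range(n), 2), rng.choice([-1, 1])) for _ in range(8)]
        return shears, [rng.randint(-10, 10) for _ in range(n)]
    # Assumed factor order, applied left to right: mu, phi, mu, phi, mu.
    return [(monomial, mono()), (triangular, tri()), (monomial, mono()),
            (triangular, tri()), (monomial, mono())]

def crypt(key, s, inverse=False):
    """Encrypt (factors in order) or decrypt (inverse factors, in reverse order)."""
    for f, data in (reversed(key) if inverse else key):
        s = f(data, s, inverse)
    return s
```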

Remark 2. There is a ramification of the above protocol, where Bob's secret message is
a tropical polynomial $u$, instead of a point in $\mathbb{Z}^n$. (Note that the result of
encrypting $u$ will be, in general, an element of $P = Rat[x_1, \ldots, x_n]$.) In this
ramification, decryption is going to have a much higher computational complexity because
Alice would have to compute an explicit expression for $\alpha^{-1}$ (cf. the previous
remark). On the other hand, encryption in this case is going to be homomorphic (in the
"tropical" sense) because $\alpha(u_1 \oplus u_2) = \alpha(u_1) \oplus \alpha(u_2)$ and
$\alpha(u_1 \otimes u_2) = \alpha(u_1) \otimes \alpha(u_2)$. For examples of
homomorphic encryption in the "classical" case see e.g. [5] or [7].

Remark 3. One can consider an encryption protocol, similar to the one above, also in 
the "classical" case. As we have already pointed out, polynomial automorphisms were 
employed in a similar context in [9], but birational automorphisms have not been used 
for cryptographic purposes before, to the best of our knowledge. 

3.4. Possible attacks. There are the following two attacks that an adversary may
attempt.

(1) Trying to compute $\alpha^{-1}$ from the public automorphism $\alpha$. The problem with
this attack is that the degree of $\alpha^{-1}$ may be exponentially greater than the
degree of $\alpha$, which makes any commonly used attack (e.g. a linear algebra
attack) infeasible.

(2) Trying to recover Bob's secret message $s$ from $\alpha(s)$. This translates into a
system of tropical polynomial equations; solving such a system is an NP-hard
problem, as we show in the following proposition.

Proposition 1. The problem of solving systems of tropical polynomial equations is 
NP-hard. 

Before getting to the proof, we note that for a closely related, but different, problem 
of emptiness of a tropical variety NP-completeness was established in p3] . 

Proof. We show how to reduce the SAT problem to the problem of solving a system 
of tropical polynomial equations. Recall that the SAT (for SATisfiability) problem is 
a decision problem, whose instance is a Boolean expression written using only AND, 
OR, NOT, variables, and parentheses. The question is: given the expression, is there 
some assignment of TRUE (=1) and FALSE (=0) values to the variables that will make 
the entire expression true? A formula of propositional logic is said to be satisfiable if 
logical values can be assigned to its variables in a way that makes the formula true. The 
Boolean satisfiability problem is NP-complete [3]. The problem remains NP-complete 
even if all expressions are written in conjunctive normal form with 3 variables per clause 
(3-CNF), yielding the 3-SAT problem. 

Suppose now we have a 3-CNF, and we are going to build (in time polynomial in
the number of clauses) a system of tropical polynomial equations that has a solution
if and only if the given 3-CNF is satisfiable. Denote Boolean variables in the given
3-CNF by $u_i$. In our tropical system, we are going to have two kinds of variables: those
corresponding to literals $u_i$ will be denoted by $x_i$, and those corresponding to literals
$\neg u_i$ will be denoted by $y_i$.

First of all, we include in our tropical system all equations of the form
$x_i \otimes y_i = 1$, for all $i$.

Now suppose we have a clause with 3 literals, for example, $u_i \vee \neg u_j \vee \neg u_k$.
To this clause, we correspond the following tropical polynomial equation:

$$y_i \oplus x_j \oplus x_k = 0.$$

Obviously, the above clause is TRUE if and only if either $u_i = 1$, or $u_j = 0$, or
$u_k = 0$. If $u_i = 1$, then $y_i = 0$, and our tropical equation is satisfied. If, say,
$u_j = 1$, then $x_j = 0$, and again our tropical equation is satisfied. This shows that if
a given 3-CNF is satisfiable, then our tropical equation has a solution.

If, on the other hand, our tropical equation has a solution, that means either $y_i = 0$,
or $x_j = 0$, or $x_k = 0$. In any case, the given clause is easily seen to be TRUE upon
corresponding $u_i$ to $x_i$ and $\neg u_i$ to $y_i$. (Note that if, say, $y_i = 0$, then,
since we also have the equation $x_i \otimes y_i = 1$, $x_i$ should be equal to 1.)

Having thus built a tropical equation for each clause in the given 3-CNF, we end up 
with a system of tropical polynomial equations that corresponds to the whole 3-CNF, 
which is solvable if and only if the given 3-CNF is satisfiable. This completes the proof. 

□ 
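The reduction in the proof can be checked mechanically on small instances. The Python sketch below is an added example, not part of the paper: it builds the tropical system from a 3-CNF given as DIMACS-style signed integers (an input convention chosen here) and searches a small integer box for solutions, so that values outside {0, 1} are also tried. The function names and the search range are assumptions of the example.

```python
from itertools import product

def tropical_system(clauses, nvars):
    """Equations (kind, indices, rhs); x_i sits at index i-1, y_i at nvars+i-1.
    'otimes' means the sum of the listed variables, 'oplus' their minimum."""
    eqs = [("otimes", (i, nvars + i), 1) for i in range(nvars)]  # x_i (x) y_i = 1
    for clause in clauses:
        # As in the proof: literal u_i contributes y_i, literal not-u_j contributes x_j.
        idx = tuple(nvars + lit - 1 if lit > 0 else -lit - 1 for lit in clause)
        eqs.append(("oplus", idx, 0))
    return eqs

def holds(eq, point):
    kind, idx, rhs = eq
    vals = [point[i] for i in idx]
    return (sum(vals) if kind == "otimes" else min(vals)) == rhs

def tropical_solution(clauses, nvars, lo=-2, hi=3):
    """Brute force over x_i in [lo, hi]; y_i = 1 - x_i is forced by x_i (x) y_i = 1."""
    eqs = tropical_system(clauses, nvars)
    for xs in product(range(lo, hi + 1), repeat=nvars):
        point = list(xs) + [1 - x for x in xs]
        if all(holds(e, point) for e in eqs):
            return point
    return None

def decode(point, nvars):
    """Truth assignment from a solution: x_i = 0 means FALSE, y_i = 0 means TRUE."""
    return [point[i] != 0 for i in range(nvars)]

def satisfies(clauses, bits):
    return all(any(bits[abs(l) - 1] == (l > 0) for l in c) for c in clauses)

def satisfiable(clauses, nvars):
    return any(satisfies(clauses, bits)
               for bits in product([False, True], repeat=nvars))
```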